
Yesterday, I watched with interest as several senators asked about the success criteria for the Framework. Some were a little more snarky than others, but it's a valid question. U.S. academic, industrial, and governmental orgs have invested millions of dollars - how do we calculate the return on that investment?


It seems like it needs to go beyond the talking phase - one could simply declare that they've selected a Tier to shoot for and say they're using the Framework. 


Running through the full cycle, while it could be done in days, is more likely to take several years. Certainly we wouldn't measure only those who have completed all the steps in a comprehensive way.


So, how will we know if/when the Framework has achieved its goals?





I'd argue that the main value of the framework was in its creation and socialization. It's not detailed enough to, with the content inside it, really move the ball too far forward from a risk reduction point of view. If we take Intel's report, for example, we can see that they primarily leveraged mature, advanced internal knowledge and capability to make effective use of the framework (and I really think they did a great job, to be clear).  If an organization doesn't have a fairly mature perspective already, they may be able to make a pretty standard looking security program by using the framework, but that program is pretty unlikely to actually reduce risk.


That said, now we have a flag. We've put down common practices in one place, created a document around which future policy discussions can occur, we have a place from which to advance more specific discussions, etc. And that, I think, is going to be the framework's primary long term success.  


If you want to effect and measure actual risk reduction - whether tactical and technical or strategic and environmental - it's going to be, by itself, the wrong document to do so.


What remains to do, and what wasn't really attempted by the framework, is to teach organizations to manage their environments and ecosystems outside of "build a better security program" and to more effectively link organizational behavior to security outcomes and then derive metrics from those boundaries.  


But that gets to the heart of how businesses make money and cannot be relegated to CISO-levers and executive "Fund More Security" levers, and so is unlikely to be resolved in a public-private partnership environment anytime soon without some substantial cultural shifts...


Anyway, just one opinion. :) 


May be able to shed some light on implementation:


BSI is sponsoring the first annual CIO summit Wednesday, April 8th in Reston, VA. This all-day event will offer keynotes from the NIST Framework Project Manager Matt Barrett and the Program Director of the BBG and member of the President's Task Force for Executive Order 13636.


This is a free event open to the public and will include panel discussions and an implementation breakout session as well.


You can see the agenda and register at www.bsiamerica/cio
